How to manually set SSL certificates?

You put your key and certificate here. Here’s the example configuration.yaml entry for http from the docs:

# Example configuration.yaml entry
http:
  server_port: 12345
  ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
  ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem
  cors_allowed_origins:
    - https://google.com
    - https://www.home-assistant.io
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.200
    - 172.30.33.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 5

For lan to lan SSL you have 3 options.

  1. If you run a DNS server on your LAN, use a dynamic DNS service like DuckDNS or buy your own domain and set up something to keep the IP in sync as yours changes. Add a DNS rewrite rule to resolve a subdomain of the domain you picked to the LAN IP of HA for devices on your LAN. Use Let’s Encrypt to obtain an SSL certificate on that subdomain and add it to HA.

    • :white_check_mark: SSL on your LAN with a valid and publicly verifiable certificate.
    • :warning: if you want to do no port forwarding you’ll need to set up an alternative type of challenge, not the default http one. Can be tricky with DuckDNS or a similar free service
  2. If don’t run a DNS server on your LAN but are willing to purchase a domain you can add a DNS entry for a subdomain of a LAN IP (HAs LAN IP in this case). Not all hosting services let you do this, I know cloudflare does (because I do this) but ymmv on others. Then use Let’s Encrypt with a DNS challenge to obtain a certificate on that subdomain.

    • :white_check_mark: SSL on your LAN with a valid and publicly verifiable certificate and no ports forwarded.
  3. Create a self-signed certificate using openssl (or the tools of your choice) and add it to HA.

    • :warning: to use this successfully every app/device you need to talk to HA will need to be able handle a self-signed certificate. Either by uploading the certificate to it’s trust store or telling it to not verify the certificate. This will need to be done manually for every device and if one doesn’t have either of these options then it simply can’t talk to HA.
    • :information_source: If you’re considering this option I would recommend setting up a reverse proxy in front of HA. Add the self-signed cert to that and leave an option for devices to talk to HA directly using HTTP. Set up as many things as possible to talk to the reverse proxy but then there’s still a workaround for those that can’t handle a self-signed cert.

If you want more info on #2, vaultwarden publishes a guide on that particular approach. It’s for vaultwarden but most of the steps work for anything since they’re just describing what to do in cloudflare. Any service could be on the other end.